Big Day For Browser Vulnerabilities 429
An anonymous reader writes "All browsers have been reported vulnerable to different vulnerabilities today. Starting with: Internet Explorer on XP SP1/SP2, which suffers a new system compromise (of course) vulnerability. Continuing with: Opera, Mozilla / Mozilla Firefox / Camino, Safari, Netscape, Konqueror, Avant Browser and Maxthon, which all suffer some new spoofing vulnerabilities. Demonstrations of the spoofing vulnerabilities are available here and here."
NY Times Ad... (Score:5, Funny)
Re:NY Times Ad... (Score:3, Insightful)
Whoever modded the parent as offtopic must have missed the article discussing the Firefox team's plans to buy a full page NY Times ad announcing the release of a better browser. It's not only "funny", it's downright "insightful".
Re:Dear God, make it STOP! (Score:3, Funny)
http://shit.slashdot.org/article.pl?sid=04/10/2
Presses have been stopped, here's corralized links (Score:2)
IE [nyud.net]
Opera [nyud.net]
Mozilla / Mozilla Firefox / Camino [nyud.net]
Safari [nyud.net]
Netscape [nyud.net]
Konqueror [nyud.net]
Avant Browser [nyud.net]
Maxthon [nyud.net]
spoofing vulnerabilities are available here [nyud.net] and here [nyud.net]."
Feel free to castrate my browser if I messed up the links, but it looks to be working just fine... for now.
Re:NY Times Ad... (Score:5, Informative)
Gentlemen (and Ladies), start your check for updates! (Tools, Options, Advanced, Check Now button)
Re:NY Times Ad... (Score:5, Informative)
Re:NY Times Ad... (Score:5, Insightful)
Once Firefox 1.0 hits the shelves I'm sure it will get security updates for a long time even after it isn't the latest and greatest version.
Re:Throw in the "of course" to bash IE (Score:4, Insightful)
hence the OF COURSE because of the poor choice of integrating the browser into the system
Been thinking about this... (Score:5, Insightful)
Possibly solutions that I've just thought up (for discussion)
While they're fixing this, if all browser makers could make sure there's an option to stop websites resizing my browser, that'd be lovely. I know Moz has this, so it can't be hard for everyone to have it.
Re:Been thinking about this... (Score:3, Insightful)
And while they are at it, how about fixing whatever is letting websites open an ad window when I close them, even though I have all the "Allow websites to..." options turned off.
OT: your sig (Score:2)
Konqueror (Score:2, Informative)
That's indeed how Konqueror has fixed this in KDE 3.3.1.
Re:Konqueror (Score:2)
Perhaps now they can start taking some of the changes Apple have given them. Lots of very simple JavaScript events just don't work in Konq that work in Safari/WebCore.
Options 4 and 5. (Score:3, Insightful)
Option 5: Don't allow webpages to open windows without decorations. This is occasionally useful, but it's routinely abused by everything from pop-up ads to control-freaks who just don't want you to see how their site is structu
Re:Options 4 and 5. (Score:3, Insightful)
As someone who has dabbled in JavaScript, I disagree with some of your outs (although you should be able to disable them)...
Onload can be used to do a lot of useful things... I haven't come across the case where onexit does anything but annoying things, though...
Also, some of my newer websites have a help window that pop-ups when you click on a question mark next to certain items... so it's a "requested" popup (the only kind that sh
Re:Options 4 and 5. (Score:3, Informative)
As an Opera user, I like to answer these.
* Ability to open up a new window when I request it (onclick)
Block unwanted pop-ups [mbnet.fi]
* Ability to do useful DOM stuff
Well, this I really can't answer, since I don't know your useful. But most of the sites I see work just fine when I have enabled Javascript [mbnet.fi]
Out:-
* Scrolling text in status bar
Allow changing of status field [mbnet.fi]
* Anti-Right Click
Allow s [mbnet.fi]
Re:Been thinking about this... (Score:5, Interesting)
Re:Been thinking about this... (Score:5, Insightful)
That would alleviate the real problem slightly, but it wouldn't begin to address the general problem that javascript is given too much detailed control over the user interface. There are other ways to spoof websites, if you can get between the site and the user in any fashion.
Basically, window creation should be under the user's control. It should always be obvious that any browser window, whether it's a dialog box or a pop-up window, is a browser window. It should have enough decorations to make sure you can't confuse it with a local application. Resizable windows and dialog boxes should be optional in all browsers if they're available at all, so that web designers have an incentive to create sites that work completely in a standard window.
pwnXored (Score:2)
Everything is vulnerable (Score:4, Informative)
-Nb
Phew! (Score:5, Funny)
Re:Phew! (Score:2)
Darn, I just upgraded my Mozilla at work to 10.1, oh, well.
Re:Phew! (Score:3, Funny)
Honor System Browser Exploit (Score:3, Funny)
If you are using IE, FireFox, Opera or another graphical browser, please visit a dozen porn sites and delete two files at random from your hard drive.
If you are using Lynx or another text browser, please visit http://www.asciipr0n.com/ [asciipr0n.com] and delete three files at random from your hard drive.
Thank you for your cooperation.
All browsers? (Score:5, Funny)
I use Lynx [isc.org], you insensitive clod!
Re:All browsers? (Score:5, Funny)
Must you post in HTML? I use telnet to fetch/post my web traffic you insensitive clod! It's people like you who clog up the web!
Re:All browsers? (Score:5, Funny)
Y ME 2 BUT MY IP/OP IS ALL ON PNCH CRDS IT PPLE LKE U WHO CLG UP THE WEB
Re:All browsers? (Score:2)
You use telnet? Ah, the luxury. I have to use the uucp store-and-forward mechanism to access the web. I'm lucky if I can get a page to load in under 5 minutes!
Re:All browsers? (Score:2)
+++ATH
NO CARRIER
Re:All browsers? (Score:2)
Re:All browsers? (Score:3, Funny)
On the upside, there is a phone line a few miles away, and I can whistle at 75 baud.
Of course, this was my one Slashdot post for the year, since it will take me another year just to get through the next article.
Re:All browsers? (Score:3, Funny)
What am I doing here? (Score:2, Funny)
I need to pull the plug! I gotta get off the net!
someone is going to steal all my PORN!
So, what now? I guess I pull this cord right her....
spoofing demos aren't working on my browser (Score:5, Funny)
Re:spoofing demos aren't working on my browser (Score:5, Funny)
Safari Exploit demonstration did not work (Score:5, Informative)
Re:Safari Exploit demonstration did not work (Score:2, Informative)
Re:Safari Exploit demonstration did not work (Score:5, Informative)
I just tried the exploit demonstration for Safari, but it did not work. The active tab switched back to the one providing the pop-up, not the target site. Did anyone else try it and have it work?
It switched back for me, too, when using tabs, but not when I opened the URL in another window. It doesn't much matter, though, because I think the point is supposed to be that the dialog could say "Citibank needs your SSN to access your account on our site" and 90% of the people would only know that they just opened the URL, so they'd assume it was related to that page. What's great for the Mac is that there is already an interface element Apple can use to address this issue: the sheet [apple.com]!
Slashdotted already... (Score:5, Insightful)
It's a clever one. (Score:5, Interesting)
The JavaScript pauses for a few seconds (while you presumably get distracted by another page) then flashes up a "Please enter some text" dialogue box.
A similar effect could be achieved by calling the JavaScript on pretty much any event; the vulnerability relies on it being unclear which site caused the dialogue box to pop up. I can see how it could be classed a vulnerability, but it's hardly earth shattering.
So why couldn't you be clever as well? (Score:2)
Or those who can't get to it because it's slashdotted...
On behalf of those of us who can't read it yet, we thank you for the summary.
We also chastise you for both your condescending attitude and your not posting the article.
Re:It's a clever one. (Score:5, Insightful)
A form element should not be allowed to steal the focus when its parent is not active. With a fairly simple timer (like the one this guy's already using), a javascript
Forms should be strictly tied to their containers, and focus requests should be restricted only to the currently active window/tab/whathaveyou. I suspect that the reason this is an issue is because technically the form and the citibank page are both in the same window, the tabs are merely controlling what components are visible at any given point in time.
Re:It's a clever one. (Score:3, Interesting)
Re:It's a clever one. (Score:3, Informative)
You'd of course only want this for certain events (alerts being chiefest among them...).
all URLs slashdotted already (Score:2)
Don't people ever learn a thing? And they call themselves a security company.
firefox users update now! (Score:2, Informative)
Re:firefox users update now! (Score:5, Informative)
Why?
As far as I can see, there are no updates for this problem.
Am I missing something?
I don't get it... (Score:2, Informative)
Anybody care to explain to me?
--
kTag
Netscape non-problem (Score:2, Insightful)
In other words, don't visit untrusted sites?
Now what am I going to do -- how am I supposed to reply to my email?
Vulns text... (Score:5, Informative)
Description:
Secunia Research has discovered a vulnerability in Safari, which can be exploited by malicious web sites to spoof dialog boxes.
Inactive windows can launch dialog boxes so they appear to be displayed by a web site in another window. This can be exploited by a malicious web site to show a dialog box, which seems to originate from a trusted web site.
Successful exploitation would normally require that a user is tricked into opening a link from a malicious web site to a trusted web site in a new window.
A test is available here:
http://secunia.com/multiple_browsers_dialo
The vulnerability has been confirmed in Safari 1.2.3 (v125.9). Other versions may also be affected.
Solution:
Don't visit trusted web sites while visiting untrusted web sites or disable JavaScript.
And for IE
Description:
http-equiv has discovered two vulnerabilities in Internet Explorer, which can be exploited by malicious people to compromise a user's system, link to local resources, and bypass a security feature in Microsoft Windows XP SP2.
1) Insufficient validation of drag and drop events from the "Internet" zone to local resources for valid images or media files with embedded HTML code. This can be exploited by e.g. a malicious web site to plant arbitrary HTML documents on a user's system, which may allow execution of arbitrary script code in the "Local Computer" zone.
This vulnerability is related to:
SA12321
NOTE: Microsoft Windows XP SP2 does not allow Active Scripting in the "Local Computer" zone.
2) A security zone restriction error, where an embedded HTML Help control on e.g. a malicious web site references a specially crafted index (.hhk) file, can execute local HTML documents.
NOTE: This will also bypass the "Local Computer" zone lockdown security feature in SP2.
The two vulnerabilities in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files can be exploited to compromise a user's system. This has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.
Solution:
Disable Active Scripting or use another product.
Re:Vulns text... (Score:3, Informative)
I have just three tabs open: This
Vulnerability report vulnerability (Score:3, Funny)
Robert
Safari 1.2.3 (Score:2, Informative)
When I tried this in Safari 1.2.3, the browser switched back to the test page as it gave me the phony dialog box. The Citibank page was only visible for a second or two before Safari switched back to the exploit test page.
Doesn't seem to be a problem here... ?
Spoofing Demo Vs. Slashdot (Score:4, Funny)
Slashdot 1
Take that you evil spoofers!
Tabs bug explained (Score:5, Insightful)
So with some creative coding, properly guessed/estimated delays, you can create the impression that dialog box A belongs to tab X, while it's actually from tab Y.
I'm not sure if it's restricted to tabs. Can't get to the demo sites anymore as they're
Mozilla*.* (Score:3, Informative)
At any rate, I'm fairly confident this will be solved in a sensible way by Mozilla*.* developers.
About the second tab issue (Score:5, Informative)
As I can't link bugzilla from Slashdot... go to http://bugzilla.mozilla.org/ and type in there the bug number. (Note: it's not marked there as FIXED, but you should look at the "fixed-aviary1.0" keyword, which is what matters for Firefox 1.0)
that is more of a usability problem than anything (Score:2)
Eff these browsers... all of them... (Score:2, Funny)
SIMPLICITY FOLKS!!!
Less features is better.
This is why we need CHROOT browsers (Score:5, Insightful)
Other steps must be taken to deal with these issues. What we can do is treat the symptoms.
For those using Linux or UNIX, privilege separation (running the browser process as a user ID that has limited rights) and a chroot jail would be major steps forward.
I believe the browser projects need to work with the community to support that type of runtime configuration, before a big nasty vulnerability does damage.
Chroot, in particular, is very tricky.
Re:This is why we need CHROOT browsers (Score:3, Insightful)
How would this help against URL spoofing?
Re:This is why we need CHROOT browsers (Score:3, Informative)
If you want to add an HTML file on a server and use sftp://server:/path/to/file, it will still run khtml (the HTML rendering kpart). That is also why you
Re:This is why we need CHROOT browsers (Score:3, Informative)
Create a disposable unprivileged account "luser".
From your primary user account enter at the shell prompt:
$ xhost + local:
$ su luser
(enter password)
$ mozilla &
You can keep a publicly readable download directory in that account to retrieve files you downloaded. Otherwise "luser" should have no access to other user files anywhere else, and that account can be easily
It's interesting to compare these (Score:5, Informative)
This is an excellent example of two facts:
Here's what the vulnerabilities are:
In all the non-IE browsers, there's a potential issue with how tabbed browsing works. Basically, the problem is that stuff on tabs other than the active tab can still (a) pop dialogs and (b) have the keyboard focus. It's pretty clear that (b) is just a problem that should be fixed, because although it's possible to conceive of a circumstance where a user would want to look at one tab while typing into a box on another, it's clearly way too surprising and not nearly useful enough to be allowed. But (a) is more interesting. It's a side effect of the fact that pages continue functioning in all ways even when they're not the active tab. This includes running Javascript/Java/Flash programs, loading, rendering, etc. And that's a good and useful thing. But when a background tab pops a dialog, it may appear to the user that the dialog was created by the active page. If the user trusts one page more than the other, that can lead to problems.
The solution to this dialog-popping problem isn't obvious. Perhaps dialogs need to be labeled with the name of the site that created them. Perhaps some other solution. But it will be worked on, even though the risk is fairly small.
The IE vulnerability is very different in that it's a system compromise flaw. It's similar in one way, though: it's caused by a subtle interaction of features. In this case, dragging and dropping of image or media files with embedded HTML code, which may be malicious. This malicious code isn't a problem, really, because IE is security-conscious and won't execute it -- except that Microsoft has that terrible "security zones" design feature. Once the malicious code is moved from the "Internet" zone to the "Local Computer" zone, the code will be executed. What makes it especially funny is that Microsoft fixed this problem in SP2 by changing the Local Computer zone so that it will no longer execute Active Scripts. But yet another bug in the security zones can be exploited to bypass that "problem", so SP2 is vulnerable as well.
Security flaws are everywhere, but what really kills Microsoft is their rash of bad design decisions in the past, turning little holes into remote root exploits. They're getting better, I believe, but it's going to be a long hard road for them to patch all of the problems that are created by their bad design decisions. It's too late, of course, to change the design. Too much depends on it.
Easy solutions (Score:3, Insightful)
a) Delay displaying alert() calls until the tab is activated by the user.
b) When alert() is called, make the tab that called it become active automatically. This should provide a good visual cue of who it belongs to.
I think I would prefer the first option just so I wouldn't be distracted by the alert() box until I was going to use that tab anyway.
YAV... (Score:2)
Don't enable Javascript (Score:5, Insightful)
Once again, for all you web masters out there who cannot code a simple <a href="foo"> without using Javascript:
SOME OF US RUN WITH JAVASCRIPT DISABLED BY DEFAULT, FOR GOOD REASON!
Yes, there are plenty of places where you CANNOT do what you need to do without Javascript - in those cases go ahead and use Javascript.
But for a simple link to another page, or to an image, or to simply DISPLAY your site's content (I'm thinking of bone-headed sites like the International Herald Tribune here who use JS to display otherwise hidden text for their stories), USE HTML DAMNIT! OK, if you want to "enhance" (pronounced "clutter up with needless crap") your site by overriding those behaviors IF Javascript is enabled, knock yourselves out (preferably with a large mallet). BUT MAKE STANDARD HTML WORK AS WELL!
Yes, you may WANT your image to be in its own window, without the standard decorations a browser will add. But if I have JS disabled, make the damn link just spawn a new window and be done with it.
Re:Don't enable Javascript (Score:5, Insightful)
Re:Don't enable Javascript (Score:3, Insightful)
Easy to work around (Score:2, Informative)
NOT that we should ignore vulnerabilities (Score:4, Insightful)
I feel like a small town policeman buried under a barrage of "sky-is-falling-alert-level-puce" faxes from Homeland Security to be dealt with on zero budget.
The color codes provided by Secunia are
MirrorDotting time (Score:5, Informative)
Demonstrations of vulnerabilities: here [mirrordot.org] and here [mirrordot.org]
Konqueror work-around (Score:5, Informative)
Browser windows must become hierarchical (Score:3, Interesting)
This means popups can't survive their parents, which is probably a good thing.
Visual parenting is needed, too. If the parent window is minimized or goes to the back, so should its child windows. Window headers should reflect the parent window's header.
Child windows shouldn't be allowed to position themselves entirely outside of the parent window. They should have to overlap, at least marginally. (Strict users might turn on a mode where they have to overlap totally, like subwindows in an application.) This creates a visual association between the parent and child windows.
With this, multiple window sites behave in a more tolerable manner.
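The overlap rule proposed above can be stated as a small geometry check. The following is an added example, not code from the thread or from any browser: the rectangle type, the `placeChild` and `isVisuallyParented` names and the default minimum overlap fraction are all assumptions made here for illustration. `placeChild` moves a child window's requested rectangle just far enough that at least the given fraction of its area lies over the parent; a fraction of 1 gives the "strict" mode where the child must sit entirely inside the parent, like a subwindow.

```javascript
// Added example: a geometry rule for "visual parenting" of pop-up windows.
// Rectangles are { x, y, w, h } in screen pixels; names are hypothetical.

// Area shared by two rectangles (0 when they do not touch).
function overlapArea(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  return (w > 0 && h > 0) ? w * h : 0;
}

// True when at least minFraction of the child's area lies over the parent.
function isVisuallyParented(parent, child, minFraction = 0.25) {
  return overlapArea(parent, child) >= minFraction * child.w * child.h - 1e-9;
}

// Clamp the child's requested position so the overlap rule holds.
// The required area fraction is split evenly over both axes (sqrt), so each
// axis must overlap by at least sqrt(minFraction) of the child's size; when
// the child is larger than the parent the requirement is capped at the
// parent's size so a feasible position always exists.
function placeChild(parent, requested, minFraction = 0.25) {
  const f = Math.sqrt(Math.min(Math.max(minFraction, 0), 1));
  const needW = Math.min(requested.w * f, parent.w);
  const needH = Math.min(requested.h * f, parent.h);
  // Smallest move of `pos` that keeps at least `need` pixels over the parent.
  const clampAxis = (pos, size, pPos, pSize, need) =>
    Math.min(Math.max(pos, pPos - (size - need)), pPos + pSize - need);
  return {
    ...requested,
    x: clampAxis(requested.x, requested.w, parent.x, parent.w, needW),
    y: clampAxis(requested.y, requested.h, parent.y, parent.h, needH),
  };
}

// Constructed sample: a pop-up that tries to open far off the parent window.
const PARENT = { x: 100, y: 100, w: 800, h: 600 };
const OFFSCREEN_REQUEST = { x: 5000, y: 5000, w: 300, h: 200 };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('loose :', placeChild(PARENT, OFFSCREEN_REQUEST));       // x: 750, y: 600
  console.log('strict:', placeChild(PARENT, OFFSCREEN_REQUEST, 1));    // x: 600, y: 500
}
```

A window manager or browser that applied this at `window.open()` time (and again on every `moveTo()` request) would keep a pop-up visibly attached to the page that created it, which is the association the comment is asking for.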
We need a new view of security (Score:4, Insightful)
The notion that browsers are exposed is really only relevant in terms of what is exposed and how meaningful that exposure might be to you or your enterprise. If your browser gets hijacked, OK, then what are you going to lose: your bank account or credit card? Are you going to lose your health management PPO records? Are you going to go to jail when the FBI finds your kiddyporn? Or do you simply take other steps to protect yourself in the case when, not if, your machine is cracked and taken over.
Konqueror vulnerable, really? (Score:3, Interesting)
When displaying the popup, it 1) switched back to the tab that owns it, and 2) the popup clearly contained the server name "secunia.com".
I was about to call this unhealthy sensationalism, but I haven't checked out older versions. Can anyone confirm the vulnerability in 3.3.0 and older? Thanks.
Firefox's tabs (Score:5, Informative)
Re:Whats with the dig at IE? (Score:5, Informative)
As I understand it, the problem with IE vulns is that it's SO tied to the OS that even the most trivial of problems can cause much greater problems.
Re:Whats with the dig at IE? (Score:3)
I'd bet your paycheck we'll be seeing more and more of these.
http://www.thisoldgarage.com/ [thisoldgarage.com] - a friend's website, check it out.
Re:Whats with the dig at IE? (Score:2)
I know most of the people on
Re:Whats with the dig at IE? (Score:2)
So many times, people get sensitive about OS issues being posted, but they LOVE to post all of the MS ones.
Re:Whats with the dig at IE? (Score:2)
Re:Whats with the dig at IE? (Score:2)
Re:Whats with the dig at IE? (Score:4, Insightful)
Let's pretend, for a minute, that a system compromising vulnerability is "equally serious" as a spoofed URL. This will take some imagination and serious role-play, but we can do it.
Now that we have that in place, let's look at this issue: when will the Mozilla development team fix the issue, and when will Microsoft?
I don't know about you, but my money's on Mozilla.
Re: (Score:3, Informative)
You have to be kidding. (Score:5, Informative)
Mozilla etc... "If the user explicitly opens a page in a background tab, it may not be possible to tell what webpage a dialog box is associated with". Note that the exploit can not open a page in a background tab, it can only take advantage of that if it happens.
Exposure: If the user can first be tricked into opening a page in another tab, and the exploiter can guess whether the user has "open tabs in background" (or the equivalent option) selected or not, then they may be able to trick them into entering confidential information a little easier. There are other ways to get similar results without having to trick the user twice, using frames or with multi-stage popups.
Internet Explorer: The exploit can be used to launch web pages in the local security zone. The hole here is really the fact that there is such a thing as a "local security zone" at all. For seven years now, exploit after exploit has used this design flaw in the HTML control to run arbitrary code as the local user. Spyware, viruses, worms, spam bots, over and over again, malicious software has gained its initial foothold through variants of this attack.
Exposure: Visiting a web page can allow an attacker to take over your computer, without any further action on your part.
And you say "The Mozilla etc problem seems equally serious."?
Jesus.
Re:Whats with the dig at IE? (Score:3, Insightful)
You're new here aren't you.
Expect lots of BS rationalizing. I don't see why people just don't admit to their bias and be done with it. I mean seriously, if you're a conservative don't tell me you're fair and balanced. If you're an OSS nut, don't tell me you're being fair. You're not. You're advocating something. People tend to appreciate
Re:Whats with the dig at IE? (Score:3, Insightful)
I admit to being biased against a company whose browser exploit allows remotely initiated code execution without user interaction as opposed to the organization which produced the browser whose "exploit" is that you can't tell which tab generated a popup.
Re:Whats with the dig at IE? (Score:5, Insightful)
Re:Whats with the dig at IE? (Score:4, Insightful)
Ummm No not really. In fact it does not seem all that much like a bug at all. More like an artifact of using tabs. There are a few fixes that will be easy to put into all the tabbed browsers.
1. When a dialog is opened the requesting page is brought to the top.
2. Put the calling URL on the dialog's title bar.
3. Do not allow dialogs to be displayed if the calling page is not in the foreground.
The Mozilla/other browser issues "could" allow someone to be fooled but you would really have to work at it. The IE issue seems to allow the remote execution of code on your system. The potential damage seems much higher to me.
Of course if you are right and they are equal and Mozilla has a fix before Microsoft then it would show that Mozilla can fix major security issues better than Microsoft.
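Several comments in this thread ("Re:It's a clever one", "It's interesting to compare these", "Easy solutions", and the three fixes listed just above) converge on the same mitigations for the tab spoofing issue: defer or re-attribute dialogs raised by background tabs, label each dialog with the origin that raised it, and refuse focus requests from tabs that are not active. The block below is an added example written for this page, not code from the thread, from Mozilla, or from any other browser: it models a tab strip as plain objects so the policy can be exercised without a browser. The `TabManager` class, the `defer`/`activate` mode names and the `runSpoofScenario` helper are assumptions made here for illustration. The scenario reproduces the sequence the demo relies on: an untrusted page is open, the user opens a trusted link in a new foreground tab, and a timer on the untrusted page then calls `alert()`.

```javascript
// Added example: a model of the "which tab owns this dialog?" policy.
// Hypothetical names; nothing here is a real browser API.

class TabManager {
  // mode 'defer'    = option (a): hold background dialogs until the tab is activated
  // mode 'activate' = option (b): bring the requesting tab to the front first
  constructor(mode = 'defer') {
    if (!['defer', 'activate'].includes(mode)) throw new Error(`bad mode ${mode}`);
    this.mode = mode;
    this.tabs = new Map();
    this.active = null;
    this.shown = [];      // dialogs the user has actually been shown, in order
  }

  openTab(id, origin, { background = false } = {}) {
    const tab = { id, origin, pending: [], focused: false };
    this.tabs.set(id, tab);
    if (!background || this.active === null) this.activate(id);
    return tab;
  }

  activate(id) {
    const tab = this.get(id);
    if (this.active !== null) this.get(this.active).focused = false;
    this.active = id;
    // Option (a): dialogs queued while the tab was in the background appear now,
    // when the user is looking at the page that raised them.
    while (tab.pending.length) this.shown.push(tab.pending.shift());
  }

  // A page calls alert()/prompt(); the policy decides what the user sees.
  requestDialog(id, message) {
    const tab = this.get(id);
    // Every dialog carries the origin that raised it (fix 2 in the comment above).
    const dialog = { origin: tab.origin, message, label: `[${tab.origin}] ${message}` };
    if (id !== this.active) {
      if (this.mode === 'defer') { tab.pending.push(dialog); return 'deferred'; }
      this.activate(id);                       // option (b): re-attribute visually
    }
    this.shown.push(dialog);
    return 'shown';
  }

  // element.focus() from a page: honoured only for the active tab, so a hidden
  // page cannot capture keystrokes meant for the page the user is looking at.
  requestFocus(id) {
    this.get(id);
    if (id !== this.active) return false;
    this.get(id).focused = true;
    return true;
  }

  get(id) {
    const tab = this.tabs.get(id);
    if (!tab) throw new Error(`unknown tab ${id}`);
    return tab;
  }
}

// Constructed scenario (origins are placeholders, not real sites).
function runSpoofScenario(mode) {
  const tm = new TabManager(mode);
  tm.openTab('t1', 'untrusted.example');                  // attacker page, active
  tm.openTab('t2', 'bank.example');                       // user opens trusted link in new tab
  const focusStolen = tm.requestFocus('t1');              // hidden page tries to grab focus
  const result = tm.requestDialog('t1', 'Please enter some text');   // timer fires on t1
  return {
    result, focusStolen, active: tm.active,
    shown: tm.shown.map(d => d.label),
    pendingOnT1: tm.get('t1').pending.length,
    manager: tm,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const mode of ['defer', 'activate']) {
    const { manager, ...view } = runSpoofScenario(mode);
    console.log(mode, view);
  }
}
```

In `defer` mode the user keeps looking at the trusted tab and nothing appears until they return to the untrusted one; in `activate` mode the dialog appears immediately but the tab strip switches to the page that raised it. In both modes the label makes the origin explicit, and the focus grab from the hidden tab is refused.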
Re:Whats with the dig at IE? (Score:2)
It reminds me of why it used to be that everyone would always lock the keyboard in xterm before typing in any passwords. Strangely modern terminals in Linux don't seem to have that option any more.
This is just another example of that problem.
Re:The Mozilla exploits are a JOKE (Score:4, Insightful)
Re:Whats with the dig at IE? (Score:2)
WARNING: Don't click on link. (Score:4, Informative)
Re:Oh my Gosh... (Score:5, Funny)
And how long IE will take?
Didn't think so.
Re:Oh my Gosh... (Score:2)
IE: Before Christmas.
Re:Oh my Gosh... (Score:2)
Re:Tabs (Score:4, Insightful)
Re:Tabs (Score:2)
You mean this wouldn't happen if you just opened multiple windows instead of multiple tabs?
Re:Nasty on Avant (Score:3, Informative)